Description

Got some time, around $50, a soldering iron, and want to secure your passwords? This talk presents an open, hardware-based password manager that anyone can build and use.

This project is based around a Teensy 3.0 device. Since it can emulate a keyboard, we started building a secure hardware storage using a 1.8" TFT LCD, touch input, an SD card reader and a 3D printed box. Using various libraries and a lot of Arduino-fu, we managed to design a rather simple yet (we hope) secure password storage that keeps the passwords on the SD card and can type them on your laptop. As the Teensy also offers the possibility to use an RTC with the addition of a simple oscillator, we also added the possibility to use it as a hardware token that supports the TOTP algorithm. In this presentation, we will show the following things:
* What we did to protect the passwords, both on the SD card and in memory
* The tricks we added in order to prevent some attacks, timing attacks for example
* What encryption algorithms we used
We'll finish with the best part: everything is released as open source software.

Slide 4: Passwords suck
* Not cool, but they are used everywhere
* Managing passwords is hard
  - Lots of passwords to remember
  - We tend to reuse passwords or have a password scheme

Slide 5: Password managers
* Good thing
  - Secure!
  - You only need to remember one password to access all the others
* A lot of them exist

Slide 6: Password managers - cont.
* They also suck!
  - If someone gets access to your database, you are at risk
    * keepass2john, passwordsafe cracker, ...
  - How do you use it while on travel?
* Many of them are available on a single platform
  - Do you really want to install the application on an unknown machine?
  - Or type your master password on it?

Slide 10: What can we do?
* Passwords are like keys to our online places
* Why don't we store and use them like real keys?
  - You always have them on you
  - You may have a backup, but you (probably) know where it is
  - You wouldn't let anyone take care of them

Slide 11: Introducing Pa55ware
* Like a keyring, but for passwords
* Keep your passwords with you
* Use them when you want to

Slide 12: Why Pa55ware?
* Manage PA55w0rd$ with hardWARE
  - With a (strong) Belgian accent, it means sieve
* And also because "passware" is already used
(image: http://commons.wikimedia.org/wiki/File:Sieve.jpg)

Slide 13: Pa55ware - Features
* Easy to use
  - 4 touch buttons to navigate
  - An LCD screen to view your passwords
  - A client application is used to manage the data stored on the device

Slide 14: Pa55ware - Features
* Safe to use
  - Everything is encrypted using AES
    * The passwords and data are stored on an SD card
    * The key is stored on the device; there is no way to retrieve it
  - A PIN code is used to unlock the device
    * Get it wrong too many times and the AES key is gone

Slide 15: Pa55ware - Features
* Practical to use
  - Pa55ware can handle your OTP
    * Currently only TOTP is implemented (Google Authenticator)
  - It can type your passwords for you
    * Acts like a USB keyboard
    * Works on nearly every kind of device

Slide 16: Pa55ware - Features
* Free to use
  - Everything is open source
    * GPLv2 licensed
    * Yes, even the case
  - It's easy to make one
    * You'll need a soldering iron and access to a 3D printer

Slide 18: Pa55ware core
* The main component is a Teensy 3.0
  - ARM core
  - Many inputs/outputs
  - Capacitive (touch) inputs are available
  - Can be used with the Arduino IDE
  - Has an internal RTC
* It's just awesome!
(image: http://www.pjrc.com/teensy/teensy3.png)

Slide 19: Code
* Everything is written using the Arduino IDE
  - Easy to get into
* Easily customisable
  - Edit the initial variables and you're good

Slide 20: SD card storage
* Uses a simple FAT filesystem
  - May be used to create backups
* Each account is stored in a separate binary file
* Drawback: filenames are limited in length

Slide 22: Sensitive data
* The AES key is the most important thing to protect
  - It is loaded from the internal EEPROM once the device is unlocked
  - The AES key is cleared from memory as soon as the device is locked again

Slide 23: Memory management
* All cleartext data is cleared as soon as it is no longer used
  - This prevents the RAM from being read externally
* Efforts have been made to make it efficient and bug free
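As an added illustration of the unlock, lockout and key-clearing behaviour described on slides 14, 22 and 23, and of the timing-attack concern mentioned in the abstract, here is a small C model of the device's PIN check. It is not Pa55ware's own code: the EEPROM struct, the PIN "1234", the key bytes, the attempt limit and the helper names are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

#define PIN_LEN 4
#define KEY_LEN 16
#define MAX_ATTEMPTS 5
/* Model of the device's non-volatile state (on the real device: the internal EEPROM). */
typedef struct { uint8_t pin[PIN_LEN]; uint8_t aes_key[KEY_LEN]; uint8_t failed; } device_nv_t;

static device_nv_t nv;                  /* constructed sample device, filled by demo_reset() */
static uint8_t ram_key[KEY_LEN];        /* working copy of the key, only valid while unlocked */
static const uint8_t zeros[KEY_LEN] = {0}; /* reference buffer for "has this been wiped?" checks */
/* Zero memory through a volatile pointer so the compiler cannot drop the stores. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Constant-time compare: the same work is done wherever the first mismatch is. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 on unlock, 0 on a wrong PIN, -1 once the key has been wiped. */
int device_unlock(const uint8_t *entered) {
    if (nv.failed >= MAX_ATTEMPTS) return -1;
    nv.failed++;                            /* charge the attempt before checking it */
    if (!ct_equal(nv.pin, entered, PIN_LEN)) {
        if (nv.failed < MAX_ATTEMPTS) return 0;
        secure_zero(nv.aes_key, KEY_LEN);   /* too many failures: the key is gone for good */
        return -1;
    }
    nv.failed = 0;
    memcpy(ram_key, nv.aes_key, KEY_LEN);
    return 1;
}
/* Locking clears the only RAM copy of the key. */
void device_lock(void) { secure_zero(ram_key, KEY_LEN); }

/* Walkthrough helpers: PIN "1234" and key bytes 0x01..0x10 are constructed values. */
void demo_reset(void) {
    memcpy(nv.pin, "1234", PIN_LEN);
    for (int i = 0; i < KEY_LEN; i++) nv.aes_key[i] = (uint8_t)(i + 1);
    nv.failed = 0; device_lock();
}
int demo_try(const char *pin) { return device_unlock((const uint8_t *)pin); }
int demo_key_wiped(void) { return ct_equal(nv.aes_key, zeros, KEY_LEN); }
int demo_ram_key_loaded(void) { return ct_equal(ram_key, nv.aes_key, KEY_LEN) && !demo_key_wiped(); }
```

The attempt counter is incremented before the comparison so that cutting power mid-check still costs a try; on the real device that counter would have to live in EEPROM alongside the key for the lockout to survive a reset.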

Slide 24: Communication
* The app's link uses serial communication with the Teensy
  - You have to enable serial communication on the device to allow access
  - You are only allowed to push new data
    * You cannot access the passwords over this link
  - The link is also used to synchronize the RTC

Slide 31: Why are we here?
* This project needs to be audited
  - We may have made logical mistakes
  - Maybe there are bugs?
* We suck at crypto
  - We think we did well, but we may be wrong
* We have basic knowledge of hardware hacking
  - Maybe there are ways to extract data
* https://github.com/Baldanos/pa55ware

Slide 32: That's all!
* Any questions?
* Feel free to come and see Pa55ware live

PasswordsCon conference
